On 11/13/2013 04:51 PM, Chen Hanxiao wrote:
> From: Chen Hanxiao <chenhanxiao@xxxxxxxxxxxxxx>
>
> If we enable userns, we could bind mount
> some dirs from host to guest, which don't belong to
> the target mapped uid/gid.
>
> Such as we could bind mount root's dirs to guest.
> What is worse, we could even modify root's files
> in that bind dir inside container.
If this happend, this problem should be a generic permission problem. it should be fixed in kernel.
>
> So if we couldn't know
> the dir's ownership(without a proper uid/gid mapping),
> don't mount it.
>
> Signed-off-by: Chen Hanxiao <chenhanxiao@xxxxxxxxxxxxxx>
> ---
> v2: add more description
>
> src/lxc/lxc_container.c | 18 ++++++++++++++++++
> 1 file changed, 18 insertions(+)
>
> diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
> index 255c711..4cf209e 100644
> --- a/src/lxc/lxc_container.c
> +++ b/src/lxc/lxc_container.c
> @@ -96,6 +96,8 @@
> typedef char lxc_message_t;
> #define LXC_CONTINUE_MSG 'c'
>
> +#define OVERFLOW_UGID 65534
> +
> typedef struct __lxc_child_argv lxc_child_argv_t;
> struct __lxc_child_argv {
> virDomainDefPtr config;
> @@ -1073,6 +1075,22 @@ static int lxcContainerMountFSBind(virDomainFSDefPtr fs,
> if (virAsprintf(&src, "%s%s", srcprefix, fs->src) < 0)
> goto cleanup;
>
> + if (stat(src, &st) < 0) {
> + virReportSystemError(errno, _("Unable to stat bind source %s"),
> + src);
> + goto cleanup;
> + } else {
> + if (OVERFLOW_UGID == st.st_uid || OVERFLOW_UGID == st.st_gid) {
> + errno = EPERM;
> + VIR_DEBUG("Unknown st_uid %d, st_gid %d for %s",
> + st.st_uid, st.st_gid, fs->src);
> + virReportSystemError(errno,
> + _("Check the permission of src dir '%s' provided for container")
> + ,fs->src);
> + goto cleanup;
> + }
> + }
> +
> if (stat(fs->dst, &st) < 0) {
> if (errno != ENOENT) {
> virReportSystemError(errno, _("Unable to stat bind target %s"),
> -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
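Review bot: `OVERFLOW_UGID` hard-codes 65534, but the kernel's overflow ids are tunable through `/proc/sys/kernel/overflowuid` and `/proc/sys/kernel/overflowgid`, so on a host where they were changed the ownership check added further down would not recognise unmapped owners. The define also carries no explanation; a comment such as `/* kernel default overflowuid/overflowgid: what stat() reports for an owner with no mapping in the user namespace */` would say why this value is special. Reading the two sysctl values once at startup would be more robust than the constant.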
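Review bot: The ownership test added to lxcContainerMountFSBind is not conditioned on a uid/gid mapping being configured, as far as the hunk shows, so a bind source legitimately owned by uid or gid 65534 (commonly `nobody`) would be refused even when user namespaces are not in use. It also examines only the top-level directory, so entries beneath it with unmapped owners are not covered; a comment should state that the check is a best-effort guard and not a full ownership audit. Setting `errno = EPERM` before `VIR_DEBUG` relies on the logging call leaving errno untouched; passing the constant directly, `virReportSystemError(EPERM, ...)`, removes that dependency. `st.st_uid` and `st.st_gid` are printed with `%d`, which should be `%u` with an `(unsigned int)` cast. The function body starts and ends outside the hunk.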